
Certificate with multiple CN fields - valid?


John Nagle
Jun 1, 2010, 10:23:39 PM
Normally, when a certificate is to be valid for more than one
domain name, one name is in the "CN" field, and the others are in
the "subjectAltName" extension.

But look at the cert for "https://www.ipmirror.com/". It has

CN = admincms.ipmirror.com
CN = business.ipmirror.cn
CN = business.ipmirror.com
CN = business.ipmirror.de
CN = business.ipmirror.jp
CN = business.ipmirror.kr
CN = chat.ipmirror.com
CN = customer.ipmirror.cn
CN = customer.ipmirror.com
CN = customer.ipmirror.de
CN = customer.ipmirror.jp
CN = customer.ipmirror.kr
CN = demo-business.ipmirror.com
CN = demo-customer.ipmirror.com
CN = imap.ipmirror.com
CN = netrunner.ipmirror.com
CN = ote-business.ipmirror.com
CN = ote-customer.ipmirror.com
CN = ote-rapi.ipmirror.com
CN = ote-registryconsole.ipmirror.com
CN = rapi.ipmirror.com
CN = rapiote.ipmirror.com
CN = rcube.ipmirror.com
CN = register.ipmirror.de
CN = registryconsole.ipmirror.com
CN = telhosting.ipmirror.com
CN = www.ipmirror.com

This was issued by

CN = PositiveSSL CA
O = Comodo CA Limited
L = Salford
ST = Greater Manchester
C = GB

Validity dates are
(1/6/2010 0:00:00 AM GMT) to (7/10/2010 23:59:59 PM GMT)
so it's a currently live cert from a major CA. The
cert chain validates properly.

Is this considered valid?

John Nagle
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Konrads Smelkovs
Jun 2, 2010, 6:13:15 AM

"Valid" is whatever the browser understands. As X.509 is/was related to LDAP, having multiple CNs in an entry is a no-no.
--
Konrads Smelkovs
Applied IT sorcery.

Willy Weisz
Jun 2, 2010, 9:27:35 AM
In order to be valid for the authentication of multiple DNS names an
X.509 certificate has to have them included in the subjAlternativeName
entry not in multiple CN entries in the subjectName. The latter
represents a single entity with potentially multiple CN entries, not
multiple entities each with a single CN.

Regards
Willy Weisz


--
-----------------------------------------------------------
Willy Weisz

European Centre for Parallel Computing at Vienna (VCPC)
Computational Science Center
University of Vienna
Nordbergstrasse 15/C312
A-1090 Wien
Tel: (+43 1) 4277 - 39424 Fax: (+43 1) 4277 - 9394
e-mail: Willy...@univie.ac.at
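The rule Willy states (the names a server answers to belong in subjectAltName; the subject's CN attributes describe one entity) is what draft-saintandre-tls-server-id-check, later published as RFC 6125, codified for clients: if the certificate carries any dNSName in subjectAltName, the CN is not consulted at all, and only when there is no dNSName does a client fall back to CN. The following is an added example, not code from the thread or from OpenSSL. It implements that check in Python over the dict layout that `ssl.SSLSocket.getpeercert()` returns, so it runs offline without parsing DER. The certificate dicts are constructed for the example: `IPMIRROR_STYLE_CERT` mirrors the shape of the certificate John quoted (several commonName RDNs, no subjectAltName, with only a subset of the CNs), and `cn_policy` is an assumed parameter that makes the "which CN?" question explicit rather than answering it silently; the `"any"` policy reproduces what CPython's old `ssl.match_hostname` did (every commonName in the subject was collected and any match accepted).

```python
"""Server identity check per RFC 6125 over getpeercert()-style dicts.

Added example; the certificate dicts below are constructed and are not
decoded from real certificates.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison.

    A wildcard is accepted only as the entire leftmost label, only when at
    least two labels follow it ('*.com' is rejected), and it matches exactly
    one label ('*.ipmirror.de' does not match 'a.b.ipmirror.de').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject 'a*.b.c', 'a.*.c' and '*.com'-style patterns.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def common_names(cert: dict) -> list:
    """Every commonName attribute in the subject, in RDN order."""
    return [value
            for rdn in cert.get("subject", ())
            for (attr, value) in rdn
            if attr == "commonName"]


def san_dns_names(cert: dict) -> list:
    """Every dNSName in subjectAltName (getpeercert() reports them as 'DNS')."""
    return [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


def match_hostname(cert: dict, hostname: str,
                   cn_policy: str = "reject-multiple") -> bool:
    """RFC 6125 section 6.4.4: dNSName SANs, when present, are authoritative.

    cn_policy (assumed parameter for this example) decides what to do when
    the CN fallback finds more than one commonName:
      'reject-multiple' - treat an ambiguous subject as no match (default);
      'any'             - accept if any CN matches (old CPython behaviour);
      'first' / 'last'  - consult only that CN.
    """
    dns_ids = san_dns_names(cert)
    if dns_ids:
        # CN is ignored entirely once a dNSName is present.
        return any(_dns_name_matches(p, hostname) for p in dns_ids)
    cns = common_names(cert)
    if not cns:
        return False
    if len(cns) > 1:
        if cn_policy == "reject-multiple":
            return False
        if cn_policy == "first":
            cns = cns[:1]
        elif cn_policy == "last":
            cns = cns[-1:]
        elif cn_policy != "any":
            raise ValueError("unknown cn_policy %r" % cn_policy)
    return any(_dns_name_matches(cn, hostname) for cn in cns)


# Constructed: same shape as the certificate quoted in the thread
# (multiple commonName RDNs, no subjectAltName), CNs abbreviated.
IPMIRROR_STYLE_CERT = {
    "subject": (
        (("commonName", "admincms.ipmirror.com"),),
        (("commonName", "business.ipmirror.cn"),),
        (("commonName", "imap.ipmirror.com"),),
        (("commonName", "www.ipmirror.com"),),
    ),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "Comodo CA Limited"),),
        (("commonName", "PositiveSSL CA"),),
    ),
}

# Constructed: the conventional layout, one CN plus the list in subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "www.ipmirror.com"),),),
    "subjectAltName": (("DNS", "www.ipmirror.com"),
                       ("DNS", "imap.ipmirror.com"),
                       ("DNS", "*.ipmirror.de")),
}

# Constructed: CN and SAN disagree, to show that the SAN wins.
MIXED_CERT = {
    "subject": ((("commonName", "cn-only.example"),),),
    "subjectAltName": (("DNS", "san.example"),),
}


if __name__ == "__main__":
    for host in ("www.ipmirror.com", "admincms.ipmirror.com"):
        for policy in ("reject-multiple", "any", "first", "last"):
            print(host, policy, match_hostname(IPMIRROR_STYLE_CERT, host, policy))
    print("SAN wildcard:", match_hostname(SAN_CERT, "business.ipmirror.de"))
    print("CN ignored when SAN present:", match_hostname(MIXED_CERT, "cn-only.example"))
```

The point the policies make visible is that the multi-CN certificate's validity depends entirely on which CN a given client happens to read: with `"first"` only admincms.ipmirror.com works, with `"last"` only www.ipmirror.com, and with `"any"` everything does. Putting the names in subjectAltName removes the ambiguity, and the CN then no longer matters at all.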

Michael Ströder
Jun 2, 2010, 2:17:11 PM
John Nagle wrote:
> Normally, when a certificate is to be valid for more than one
> domain name, one name is in the "CN" field, and the others are in
> the "subjectAltName" extension.
>
> But look at the cert for "https://www.ipmirror.com/".

This might serve as an interesting example for the people discussing
draft-saintandre-tls-server-id-check on the ietf-certid list:

https://www.ietf.org/mailman/listinfo/certid

Ciao, Michael.
